[MDEV-24942] Server crashes in _ma_rec_pack / _ma_write_blob_record with DEFAULT() on BLOB - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3(EOL)
Fix Version/s: 10.3.29, 10.4.19, 10.5.10
Component/s: Server
Labels:
- regression

Description

CREATE TABLE t1 (id INT, f MEDIUMTEXT NOT NULL DEFAULT '');

INSERT INTO t1 VALUES (1,'foo'),(2,'bar');

SELECT f FROM t1 GROUP BY id ORDER BY DEFAULT(f);

# Cleanup

DROP TABLE t1;

10.3 8db5274d
#3 <signal handler called>
#4 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:383
#5 0x00005609089bade2 in _ma_rec_pack (info=0x7f4b50098af0, to=0x7f4b501951de '\245' <repeats 200 times>..., from=0x7f4b5003b1c5 '\245' <repeats 11 times>, "\003") at /data/src/10.3/storage/maria/ma_dynrec.c:1005
#6 0x00005609089b801d in _ma_write_blob_record (info=0x7f4b50098af0, record=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/storage/maria/ma_dynrec.c:262
#7 0x0000560908a4b735 in maria_write (info=0x7f4b50098af0, record=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/storage/maria/ma_write.c:284
#8 0x00005609089c7b3d in ha_maria::write_row (this=0x7f4b5003b2f8, buf=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/storage/maria/ha_maria.cc:1211
#9 0x000056090808ebb8 in handler::ha_write_tmp_row (this=0x7f4b5003b2f8, buf=0x7f4b5003b1c0 "\376\001") at /data/src/10.3/sql/sql_class.h:6481
#10 0x0000560908077d4d in end_write (join=0x7f4b50013850, join_tab=0x7f4b50014fc0, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:21130
#11 0x000056090808a270 in AGGR_OP::put_record (this=0x7f4b50015ca8, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:27757
#12 0x000056090808fb2b in AGGR_OP::put_record (this=0x7f4b50015ca8) at /data/src/10.3/sql/sql_select.h:1024
#13 0x0000560908073ad3 in sub_select_postjoin_aggr (join=0x7f4b50013850, join_tab=0x7f4b50014fc0, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:19433
#14 0x000056090807477b in evaluate_join_record (join=0x7f4b50013850, join_tab=0x7f4b50014c30, error=0) at /data/src/10.3/sql/sql_select.cc:19931
#15 0x0000560908074035 in sub_select (join=0x7f4b50013850, join_tab=0x7f4b50014c30, end_of_records=false) at /data/src/10.3/sql/sql_select.cc:19711
#16 0x0000560908073507 in do_select (join=0x7f4b50013850, procedure=0x0) at /data/src/10.3/sql/sql_select.cc:19251
#17 0x000056090804a4cf in JOIN::exec_inner (this=0x7f4b50013850) at /data/src/10.3/sql/sql_select.cc:4124
#18 0x000056090804988e in JOIN::exec (this=0x7f4b50013850) at /data/src/10.3/sql/sql_select.cc:3918
#19 0x000056090804abab in mysql_select (thd=0x7f4b50000d90, tables=0x7f4b50012ce8, wild_num=0, fields=..., conds=0x0, og_num=2, order=0x7f4b50013700, group=0x7f4b50013470, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f4b50013828, unit=0x7f4b50004c58, select_lex=0x7f4b500053e0) at /data/src/10.3/sql/sql_select.cc:4323
#20 0x000056090803c13e in handle_select (thd=0x7f4b50000d90, lex=0x7f4b50004b98, result=0x7f4b50013828, setup_tables_done_option=0) at /data/src/10.3/sql/sql_select.cc:370
#21 0x0000560908002804 in execute_sqlcom_select (thd=0x7f4b50000d90, all_tables=0x7f4b50012ce8) at /data/src/10.3/sql/sql_parse.cc:6316
#22 0x0000560907ff9011 in mysql_execute_command (thd=0x7f4b50000d90) at /data/src/10.3/sql/sql_parse.cc:3847
#23 0x0000560908006b88 in mysql_parse (thd=0x7f4b50000d90, rawbuf=0x7f4b50012ab8 "SELECT f FROM t1 GROUP BY id ORDER BY DEFAULT(f)", length=48, parser_state=0x7f4b60e9d5c0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7840
#24 0x0000560907ff32ec in dispatch_command (command=COM_QUERY, thd=0x7f4b50000d90, packet=0x7f4b50008f11 "", packet_length=48, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1852
#25 0x0000560907ff1c8c in do_command (thd=0x7f4b50000d90) at /data/src/10.3/sql/sql_parse.cc:1398
#26 0x0000560908170295 in do_handle_one_connection (connect=0x56090b6f9090) at /data/src/10.3/sql/sql_connect.cc:1403
#27 0x000056090816fff1 in handle_one_connection (arg=0x56090b6f9090) at /data/src/10.3/sql/sql_connect.cc:1308
#28 0x0000560908b3c073 in pfs_spawn_thread (arg=0x56090b6dc460) at /data/src/10.3/storage/perfschema/pfs.cc:1869
#29 0x00007f4b67388609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#30 0x00007f4b66f64293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reproducible with MyISAM, InnoDB, Aria.
Non-debug build doesn't crash on my machine, but non-debug ASAN build does, so it's probably just the matter of luck.

The failure started happening on 10.3 after this commit:

commit 8db5274dce7f8710b25ca954559843c9cd812ac5 (origin/10.3, 10.3)

Author: Monty

Date:   Sun Feb 21 20:38:32 2021 +0200

    MDEV-22703 DEFAULT() on a BLOB column can overwrite the default record

Attachments

Issue Links

relates to

MDEV-24958 Server crashes in my_strtod / Value_source::Converter_strntod::Converter_strntod with DEFAULT(blob)

Closed

MDEV-22703 DEFAULT() on a BLOB column can overwrite the default record, which can cause crashes when accessing already released memory

Closed

MDEV-25627 Unexpected warning ER_TRUNCATED_WRONG_VALUE or server crash in get_prefix upon using DEFAULT() on blob

Open

Activity

People

Assignee:: Michael Widenius

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2021-02-22 19:31

Updated:: 2021-05-10 00:02

Resolved:: 2021-03-02 11:03

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.